
Don't be BlindSided: Watch speculative memory probing bypass kernel defenses, give malware root control
2020-09-10 02:59

For a kernel ROP exploit to work, some information first needs to be leaked from the kernel that reveals the current layout of its components in RAM. If the exploit simply guesses the kernel's layout and is wrong, it triggers a crash, and that crash can be detected and acted on by an administrator.
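As an added illustration of the crash-detection point above (this is example code, not from the paper or from The Register's article): a small Python detector that reads dmesg-style lines and flags a process name whose kernel-space page faults cluster in time, which is the footprint a layout-guessing ROP attempt leaves when nothing suppresses the crashes. The log lines, process names, PIDs, timestamps and fault addresses are constructed; the message formats follow the Linux x86-64 oops output, and the kernel-space boundary assumed is the upper canonical half of the x86-64 address space.

```python
"""Flag clusters of kernel-space page faults in dmesg-style log lines.

A wrong guess at the kernel layout dereferences an unmapped kernel address,
the kernel logs an oops and kills the task. Several such oopses from the same
program name in a short window is the signal an administrator can act on.
Example code; the sample log below is constructed, not captured.
"""
import re
from collections import defaultdict

# x86-64 kernel-space addresses live in the upper canonical half (assumption
# of this example; adjust for other architectures).
KERNEL_SPACE_START = 0xFFFF800000000000

LINE_RE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\]\s*(?P<msg>.*)$")
FAULT_RE = re.compile(r"BUG: unable to handle page fault for address: (?P<addr>[0-9a-f]+)")
TASK_RE = re.compile(r"CPU: \d+ PID: (?P<pid>\d+) Comm: (?P<comm>\S+)")

# Constructed dmesg-style lines; timestamps are seconds since boot.
SAMPLE_LOG = """\
[  120.001] systemd[1]: Started Session 3 of user alice.
[  183.204] BUG: unable to handle page fault for address: ffffffffa1b2c000
[  183.205] Oops: 0000 [#1] SMP PTI
[  183.206] CPU: 2 PID: 4242 Comm: probe Not tainted 5.3.0-40-generic
[  183.901] BUG: unable to handle page fault for address: ffffffffa1c4e000
[  183.902] Oops: 0000 [#2] SMP PTI
[  183.903] CPU: 2 PID: 4243 Comm: probe Not tainted 5.3.0-40-generic
[  184.550] BUG: unable to handle page fault for address: ffffffffa1d60000
[  184.551] Oops: 0000 [#3] SMP PTI
[  184.552] CPU: 2 PID: 4244 Comm: probe Not tainted 5.3.0-40-generic
[  900.000] BUG: unable to handle page fault for address: 0000000000000010
[  900.001] Oops: 0000 [#4] SMP PTI
[  900.002] CPU: 0 PID: 77 Comm: kworker/0:1 Not tainted 5.3.0-40-generic
"""


def parse_oopses(log_text):
    """Return one record per oops: ts, fault address, pid, comm, kernel_space flag."""
    oopses = []
    pending = None  # fault seen, waiting for the CPU/PID/Comm line that follows
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, msg = float(m.group("ts")), m.group("msg")
        fault = FAULT_RE.search(msg)
        if fault:
            addr = int(fault.group("addr"), 16)
            pending = {"ts": ts, "addr": addr, "pid": None, "comm": None,
                       "kernel_space": addr >= KERNEL_SPACE_START}
            continue
        task = TASK_RE.search(msg)
        if task and pending is not None:
            pending["pid"] = int(task.group("pid"))
            pending["comm"] = task.group("comm")
            oopses.append(pending)
            pending = None
    return oopses


def find_probing(oopses, window=60.0, min_count=3):
    """Alert on program names with >= min_count kernel-space faults inside `window` seconds.

    Grouping is by comm rather than PID because each oops kills the faulting task,
    so a repeated attempt shows up as fresh PIDs under the same program name.
    """
    by_comm = defaultdict(list)
    for o in oopses:
        if o["kernel_space"]:
            by_comm[o["comm"]].append(o["ts"])
    alerts = []
    for comm, stamps in by_comm.items():
        stamps.sort()
        for i in range(len(stamps) - min_count + 1):
            if stamps[i + min_count - 1] - stamps[i] <= window:
                run = [s for s in stamps if stamps[i] <= s <= stamps[i] + window]
                alerts.append({"comm": comm, "count": len(run),
                               "first": run[0], "last": run[-1]})
                break
    return alerts


if __name__ == "__main__":
    for alert in find_probing(parse_oopses(SAMPLE_LOG)):
        print(f"possible kernel layout probing by '{alert['comm']}': "
              f"{alert['count']} kernel-space faults between "
              f"{alert['first']:.3f}s and {alert['last']:.3f}s")
```

The kworker fault at address 0x10 is a user-range NULL-style dereference and is deliberately not counted, so only the `probe` cluster raises an alert. Hosts that set the standard `kernel.panic_on_oops=1` sysctl turn the first wrong guess into a reboot rather than a log line; the point of the research summarized here is that speculative execution keeps a wrong guess from ever reaching this log.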

"Using speculative execution for crash suppression allows the elevation of basic memory write vulnerabilities into powerful speculative probing primitives that leak through microarchitectural side effects," the paper stated.

The basic memory write vulnerability in this case was a heap buffer overflow patched some time ago in the Linux kernel.

The boffins show that they can break KASLR to run a ROP exploit; leak the root password hash; and undo fine-grained randomization and kernel execute-only memory protections to access the entire kernel text and perform a ROP exploit.

The computer scientists confirmed their technique on Linux kernel version 4.8.0 compiled with gcc and all mitigations enabled on a machine with an Intel Xeon E3-1270 v6 processor clocked at 3.80 GHz with 16 GB of RAM. They also did so on Linux kernel version 5.3.0-40-generic with all the mitigations enabled on an Intel i7-8565U chip with the microcode update for the IBPB, IBRS and STIBP mitigations.


News URL

https://go.theregister.com/feed/www.theregister.com/2020/09/10/dont_be_blindsided_speculative_memory/

Related vendor

Vendor   Products (last 12M)   Low   Medium   High   Critical   Total vulns
Kernel   4                     2     9        5      0          16